Antivirus and Content Security Cluster Solution


  • 8/7/2019 Antivirus and Content Security Cluster Solution


Contents

1. Overture
2. The Security Threat
   2.1 Viruses Attack Vital Resources
   2.2 Beyond the Desktop
   2.3 Gateway Security
3. The Effective Security Solution
   3.1 Clustering for Gateway performance
   3.2 Antivirus Clustering in Practice
   3.3 Vectoring Configuration
   3.4 Gateway / Proxy configuration
   3.5 Split Gateway / Task specific clusters
4. StoneBeat Antivirus: A Virtue
   4.1 Introduction
   4.2 Gears
       4.2.1 Hardware
       4.2.2 Software
           4.2.2.1 SecurityCluster Module
           4.2.2.2 Management GUI
           4.2.2.3 Configuration GUI
5. Conclusion
6. Bibliography

    Security Cluster - 1 -


Overture

Many organizations are working hard to secure themselves from the growing threats of computer viruses, Trojan horses, hacker agents, worms, and other malicious code. Yet the headlines are dominated by news of the latest computer-related disaster more frequently than at any time before. This document reviews this problem and proposes several possible solutions. The antivirus industry has been responding to these threats with ever-quicker responses to the rapid onslaught of malicious code, while corporations establish strict virus protection policies. Yet the number of related disasters continues to grow, with over $12 billion in damage in the first 6 months of 2000 alone. It is proposed that the problem may reside in the lack of more comprehensive protection measures.

Placing an organization's entire antivirus defense at the desktop level is similar to locking all of the doors in a house while leaving windows and other entry points open. While desktop antivirus is a necessary protection against the traditional computer virus that was typically transferred by floppy disks, CDs and similar media, and the primary virus security option for highly mobile laptop users, it is important to understand the limitations of this single point of defense. Virus writers have already seen this trend in protection, and have switched their strategies to leverage other entry points into the enterprise.

The International Computer Security Association (ICSA) recently published the results of its annual Computer Virus Prevalence Survey 2000, which indicates that 87% of all major virus infections are now transmitted through e-mail. And given the speed of this electronic communication, these newer computer viruses can spread much faster than the time required to update all of the desktop and laptop systems in a medium or large organization. Recognizing this change in behavior, Trend Micro developed patented technologies in the mid-1990s to stop viruses transmitted through e-mail and the Internet before they could reach the desktop. While protecting 54% of the world's Internet gateways (Trend Micro's own figure), Trend Micro recognized the need for a scalable high-availability antivirus security solution, and has partnered with Stonesoft to help provide it. Stonesoft, building on the clustering technology of its StoneBeat FullCluster software, created the StoneBeat SecurityCluster product, designed to bring the benefits of clustering to content security solutions such as Trend Micro's InterScan VirusWall. Together, StoneBeat SecurityCluster and InterScan VirusWall provide a scalable, high-performance, high-availability clustering solution for antivirus and content scanning. These proven technologies can meet the needs of the most demanding environments, while their respective focus on manageability has automated many tasks and simplified administrative functions through interfaces developed through years of customer feedback.

The Security Threat

The Internet Age has arrived, bringing free-flowing information to people and businesses throughout the world. And while it has unleashed new business, education, research, and communication opportunities, it has also introduced an explosion of new security threats. Many recent attacks have received worldwide attention, including the Melissa virus, Love Letter, BubbleBoy, and numerous Denial of Service (DoS) attacks. Reuters reported that over $12 billion in damage was caused by computer viruses in the first 6 months of the year 2000 alone. According to Tippett's Law of Malicious Code, the virus problem doubles about every 14 months. Taking into consideration a number of figures from worldwide research along with its in-house numbers, Trend Micro estimates that the total number of


A Trojan horse is an apparently harmless program, often in the form of an e-mail message attachment, which contains malicious code. Once a Trojan gets into a computer or computer network, it can unleash a virus or other malicious code to take control of the computer infrastructure, compromise data or inflict other damage. The infamous Melissa virus that struck on March 26, 1999 is a good example of this Trojan-style delivery. Attached to a harmless-looking e-mail message as a Word document, the macro virus accessed Microsoft Outlook and mailed itself to the first 50 addresses in the recipient's address book. The resulting flood of e-mail overwhelmed many Microsoft Exchange servers, forcing administrators to shut them down, while user mailboxes filled with bogus messages.

Malicious mobile code, consisting of applets written in Java or ActiveX controls, is a newer threat posed by the Internet. Code from these active content technologies often resides on Web pages and enters computer systems via the Internet to access user information. This access can facilitate legitimate business or other transactions, or it can execute malicious activities such as erasing data stored on hard disks or surreptitiously copying and transmitting data to eavesdropping third parties. If a virus infects a revenue-generating e-commerce application, resulting in downtime, the cost to the business could potentially reach millions of dollars. However, these threats not only compromise enterprise computers by rapidly infecting entire networks; they can also invite unauthorized access to sensitive enterprise information resources.

    Beyond the Desktop

More desktops are protected today with antivirus software than at any other time. The vast majority of large corporations have implemented comprehensive antivirus security programs for their networked computers. Yet we have recently seen more widespread damage from major virus outbreaks than at any other time in history. Computer viruses represent the greatest security concern for IT managers today (Figure 2).

Figure 2: Business Internet Users' Security Fears. Source: Information Week Global Information Security Survey of 2,700 security professionals, July 1999.

It is easy to see that desktop antivirus alone cannot address the overall threat. This is why IT managers are considering solutions at the gateway to block viruses before they can reach the desktop. They are doing this because they have identified the reasons that desktop antivirus has failed as a single, sole security measure.

Desktop antivirus solutions, when properly installed and maintained, are highly effective protection against virus threats. However, in the real world, desktop systems are constantly changing with the installation of new software, software updates, and configuration changes. These can interfere with the antivirus software's ability to detect viruses by unintentionally deactivating or blocking portions of the software that would otherwise detect a particular threat. Most often the virus pattern files (the database that the antivirus software uses to identify what is, and is not, a virus) are out of date because the update mechanism has been interfered with. Since the antivirus software runs quietly in the background, the user is unaware when it stops running until they get a virus. Part of the solution has been addressed through the development of office-oriented solutions instead of desktop solutions. In addition to providing centralized management, these solutions incorporate a number of techniques that enable IT managers to verify the effectiveness of each desktop system's antivirus installation, force updates, block user access to the antivirus software and perform other functions to ensure that each desktop system is current and running correctly.

    Gateway Security

The largest challenge facing IT managers regarding virus security, particularly in large networks, is the response time required to update all of the network's PCs when a new virus outbreak occurs. When a threat like the Love Letter virus can spread around the world in less than one hour, the time required to update all networked PCs is completely inadequate. And such an inadequacy can cost a business millions of dollars in damage. On the other hand, a handful of Internet and e-mail gateways can be updated in a matter of minutes. With the gateways monitoring all inbound traffic for potential threats, the desktop update process can take place to provide protection from the floppy disk or CD-ROM a user may receive tomorrow from someone with an infected system. IT managers need to have a complete antivirus security solution, but with the numerous virus outbreaks that have occurred recently, it is clear that they must implement security systems that give them the control and the ability to respond in a major disaster situation. The gateway has become the most exposed point for Internet-based threats. But the gateway serves mission-critical business functions. So IT managers have several key concerns about implementing such a gateway solution.

Stability: Is the antivirus solution going to work smoothly with the other hardware, software, firewall and network systems?

Availability: How will the antivirus solution provide scalability, maintainability, and overall availability of the core gateway function?

Performance: With bandwidth at a premium, will the antivirus security solution impact the gateway's performance?

Scalability: Is the solution able to grow with the company's needs? Can it do so without interrupting critical network services?

Many organizations can address these issues with minor investments in memory upgrades, configuration changes, or other common practices to support the addition of a new application on an existing system. Others may set up a dedicated antivirus system as a proxy device. But many others will need a more advanced solution to effectively support their current and long-term business needs.

The Effective Security Solution

A truly effective Internet gateway antivirus security solution must be constantly active, current and in full force without causing disruptions to critical network services. A VirusWall must be stable and function transparently to the end user. Stability is achieved by gaining appropriate product expertise and through close attention to installation and configuration options. But transparency requires that the solution function without noticeably impacting the other network applications and services. Today's enterprise networks must take into account the high-availability expectations for critical network services and applications. The most effective antivirus security solution will support those expectations through performance, scalability, and maintainability. Given the complexity of many of today's enterprise networks, even the top-performing security solution may soon become inadequate unless it addresses these issues.

Clustering for Gateway performance and availability

There is a limit to the high availability, scalability, and maintainability that can be achieved with a single security gateway. Even the option of upgrading hardware (with more RAM, faster processors, etc.) will require the interruption of gateway services. Therefore, using computer-clustering technology to create a VirusWall Cluster can offer many immediate benefits.

1. A VirusWall Cluster solution provides an enviable quality of service level through system availability by eliminating the single point of failure with redundancy. Even during scheduled shut-downs users will continue to receive the benefits and protection of the VirusWall, while individual servers within the cluster are taken off-line for maintenance or upgrades. And during normal day-to-day operations, a VirusWall Cluster solution, utilizing Stonesoft's StoneBeat technology, provides true dynamic load balancing across the cluster to optimize the use of all available resources.


2. A VirusWall Cluster solution provides the scalability to add to the number of servers in the cluster to support increased performance demands due to company growth or simply periods of increased traffic. An unexpectedly high response to a news or industry event, advertising promotion, etc. would benefit from the temporary addition of one or more servers rather than losing prospective business due to system bottlenecks.

3. Clustering solutions generally offer a straightforward economic advantage by allowing the IT manager to increase performance with commodity-style PCs rather than invest in larger systems that have little function beyond the original purpose for which they were purchased. However, it is important to note that generic clustering products, while improving availability, commonly create new problems for the IT manager. Therefore, it is important to choose a clustering solution designed to manage content. Stonesoft positions SecurityCluster as the only scalable high-availability solution dedicated to content scanning. This paper will further discuss the characteristics of a fully engineered, proven, secure high-availability solution.

    Antivirus Clustering in Practice

In general, there are three architectural options used to set up an antivirus cluster: a Vectoring Configuration, a Gateway/Proxy configuration, and a Split Gateway configuration.

Vectoring Configuration

A typical vectoring configuration places the antivirus security server in the DMZ, just behind a firewall (Figure 3). In this configuration the firewall sends any potentially harmful content or malicious code to the VirusWall for inspection before passing it on, using a dedicated communication protocol established between the firewall and the VirusWall (Check Point's OPSEC Content Vectoring Protocol, CVP, is the common example of such a protocol). Any traffic the firewall is not configured to vector is therefore never scanned.

    Figure 3: Security Servers in a Vectoring Configuration

Gateway / Proxy configuration

Another possible network configuration is the proxy configuration (Figure 4). In this topology the antivirus security server is on the trusted side of the network, directly behind the firewall, and all traffic passes through it. This seemingly straightforward configuration has some evident downsides if not clustered.


    Figure 4: Security Servers in a Proxy Configuration

Recursive decompression and antivirus scanning make antivirus protection more CPU-intensive than firewall services, which means that the security server can potentially slow down all network traffic. Further, a single security server in this configuration will take the entire network down in the event of a security server outage (planned or unplanned). However, the StoneBeat SecurityCluster solution makes this configuration option feasible because the single point of failure is now removed and computational performance will no longer be an issue. In fact, thanks to clustering, this configuration becomes very appealing again, since it frees both the firewall and the VirusWall from having to use any additional protocol for inter-communication.
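The recursive-decompression cost mentioned above is also the point at which a gateway scanner is most easily abused: a deeply nested or highly compressed archive can exhaust one node's CPU and memory no matter how many nodes the cluster has, so the scanner itself must bound the work it is willing to do. The Python below is an added illustration, not code from this paper, Stonesoft or Trend Micro. It builds a constructed nested zip in memory and scans it with a nesting-depth limit and an expansion budget charged from the archive's declared sizes before anything is inflated; a constructed marker string stands in for a real virus pattern, and the limits are assumed values.

```python
import io
import zipfile

# Constructed marker standing in for a real virus pattern (not a real signature).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

CLEAN, INFECTED, BLOCKED = "clean", "infected", "blocked"


class ScanLimitExceeded(Exception):
    """Nesting depth or expansion budget exhausted: the object is unscannable."""


def build_nested_zip(payload: bytes, layers: int) -> bytes:
    """Constructed sample input: wrap `payload` in `layers` zip archives, innermost first."""
    data, name = payload, "payload.bin"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


def _scan(data: bytes, depth: int, max_depth: int, budget: list) -> bool:
    """Return True on a marker hit. Recurses into zip members, but only while the
    nesting depth and the total declared uncompressed size stay inside the limits."""
    if MARKER in data:
        return True
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False                                  # plain content, nothing more to open
    if depth >= max_depth:
        raise ScanLimitExceeded(f"archive nested deeper than {max_depth}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            budget[0] -= info.file_size               # charge the declared size before inflating
            if budget[0] < 0:
                raise ScanLimitExceeded("expansion budget exhausted")
            if _scan(zf.read(info), depth + 1, max_depth, budget):
                return True
    return False


def scan(data: bytes, max_depth: int = 4, max_total: int = 1_000_000) -> str:
    """Gateway verdict: CLEAN, INFECTED, or BLOCKED when the object cannot be scanned
    within the limits. A corrupt archive is also BLOCKED rather than passed through."""
    try:
        return INFECTED if _scan(data, 0, max_depth, [max_total]) else CLEAN
    except (ScanLimitExceeded, zipfile.BadZipFile):
        return BLOCKED


if __name__ == "__main__":
    print(scan(build_nested_zip(b"report " + MARKER, 3)))
    print(scan(build_nested_zip(b"benign", 5)))
    print(scan(build_nested_zip(b"\x00" * 50_000, 1), max_total=10_000))
```

The design choice worth noting is that an object exceeding the limits is blocked, not passed as clean: "could not scan" and "scanned clean" are different verdicts, and a gateway that treats them the same hands an attacker a bypass. The budget is charged from the declared member size, so a small archive that claims a huge member is refused before the decompressor ever runs.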

Split Gateway / Task specific clusters

Quite often large corporations with intensive network traffic split the tasks and duties of gateway security servers. For example, SMTP and FTP traffic may be scanned by the same server, while HTTP traffic could be directed to another dedicated server (Figure 5). This option can improve both performance and availability to some degree. While performance is not an issue with a clustered VirusWall, clustering each security service separately offers a means to tighten the security of each system. This is important since services such as SMTP, HTTP, and FTP have different security configuration requirements. By running services on dedicated clusters, the security of those clusters can be tightened to provide only what that specific service requires.
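The least-privilege point above is only useful if it is checked: a node in the HTTP cluster that also happens to listen on port 25 has quietly widened the attack surface the split was meant to reduce. The following Python is an added example, not part of this paper or Stonesoft's product. It parses `ss -Hltn`-style listener output (the sample lines are constructed) and compares each node against an assumed per-role port policy, reporting listeners the role does not need and required listeners that are missing.

```python
import re

# Assumed role policy (not from the paper): ports a cluster of that role may expose on
# its traffic interface. Management stays on the heartbeat/control interface.
ROLE_PORTS = {
    "smtp-ftp": {25, 21},
    "http": {80},
}

# Assumed control-plane ports tolerated on any node (SSH, HTTPS configuration GUI).
CONTROL_PORTS = frozenset({22, 443})

# Local address:port column of `ss -Hltn` output: State Recv-Q Send-Q Local Peer.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output: str) -> set:
    """Return the set of TCP ports in LISTEN state from ss-style output."""
    ports = set()
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            ports.add(int(m.group(2)))
    return ports


def audit_node(role: str, ss_output: str):
    """Return (unexpected, missing) port lists for a node claiming `role`."""
    allowed = ROLE_PORTS[role]
    seen = parse_listeners(ss_output)
    unexpected = sorted(seen - allowed - CONTROL_PORTS)
    missing = sorted(allowed - seen)
    return unexpected, missing


# Constructed sample: an HTTP-cluster node that has grown an unwanted SMTP listener.
SAMPLE_HTTP_NODE = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 10.1.1.5:22 0.0.0.0:*
"""

# Constructed sample: an SMTP/FTP node whose FTP service is down.
SAMPLE_SMTP_FTP_NODE = """\
LISTEN 0 128 [::]:25 [::]:*
LISTEN 0 128 10.1.1.6:443 0.0.0.0:*
"""

if __name__ == "__main__":
    print("http node:", audit_node("http", SAMPLE_HTTP_NODE))
    print("smtp-ftp node:", audit_node("smtp-ftp", SAMPLE_SMTP_FTP_NODE))
```

Run against real nodes, the same check doubles as a health test of the kind the SecurityCluster test subsystem is described as running: a missing required listener is a reason to take the node out of the cluster, and an unexpected one is a reason to page someone.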

    Figure 5: Task specific security servers and clusters


StoneBeat Antivirus: A Virtue

Introduction

Extensive network security requires the use of different types of security servers, e.g. anti-virus gateways, URL filters and Java and ActiveX filters. These are deployed together with the firewall. The high availability and throughput capacity of firewalls is not an issue, thanks to StoneBeat FullCluster, which is used to cluster them. However, security server throughput capacity has not scaled up together with firewall throughput capacity. Now StoneBeat SecurityCluster offers the same clustering features for security servers that StoneBeat FullCluster offers for firewalls.

StoneBeat SecurityCluster, the Scalable High Availability Solution for Security Servers, is a software solution that enables building continuously available security server systems from security server software running on applicable hardware and operating systems. StoneBeat SecurityCluster interconnects multiple security server systems to form a scalable security server cluster. The machines act as a single high-capacity StoneBeat SecurityCluster security server that is designed never to be down as a whole, even while individual machines fail or are taken out for maintenance.

Figure 1: A stand-alone StoneBeat SecurityCluster security server


Figure 2: A StoneBeat SecurityCluster security server used in conjunction with firewalls

Gears

Hardware

A StoneBeat SecurityCluster security server includes two to sixteen standard security servers and an additional control workstation for security server management. All security servers have similar interfaces to the Internet with the same IP and MAC addresses, respectively. Support for multicast MAC addresses enables operation in switched Ethernet, while unicast MAC addresses can be used in shared Ethernet; in either case every node receives every frame sent to the cluster address, and the load-balancing filter decides which node acts on it. Standard security servers are interconnected with one or two heartbeat links. The IP address of the first heartbeat interface is used to identify the security server. This heartbeat and control interface has a unique IP address and is also used for management purposes, e.g. the StoneBeat GUI and security server management use this address to communicate with each of the security servers. A dedicated interface for heartbeat ensures communication between the cluster nodes even under heavy network traffic on the internal and external segments. Because that link carries cluster membership as well as management traffic, it should be a physically separate segment that is not reachable from the traffic interfaces.

    Figure 3 Heartbeat links and control interfaces

Software

All systems in a StoneBeat SecurityCluster security server run the security server software and the StoneBeat SecurityCluster Module. The security servers are managed from a control workstation.

    StoneBeat SecurityCluster Module

The StoneBeat SecurityCluster Module implements the heartbeat protocol between security servers and contains a special load-balancing filter, which allows each security server to receive a portion of the incoming traffic. The StoneBeat SecurityCluster Module includes a test subsystem, which continuously tests the operation of the security server itself. In addition to the rich set of internal tests, the test procedures can be tailored to meet specific customer requirements. The test subsystem will notify the administrator and activate load redistribution if a test fails. Load redistribution is also activated if the other security servers fail to get a reply from one security server. Additionally the StoneBeat SecurityCluster Module contains an SNMP agent that can be used to integrate the monitoring of StoneBeat sites into a corporate network management system such as HP OpenView.
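The Hardware section and the Module description above together describe one mechanism: every node sees every frame addressed to the shared cluster MAC, a load-balancing filter lets exactly one node accept each flow, heartbeats over the dedicated link expose a node that has gone silent, and a local test subsystem takes a failing node offline so its share of the load is redistributed. The Python below is an added reconstruction of that behaviour for illustration; it is not Stonesoft's code, and the heartbeat timeout, the use of rendezvous hashing as the filter, and the sample flows are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Assumption: peers declare a node dead after this many missed heartbeat intervals.
HEARTBEAT_TIMEOUT = 3


@dataclass
class Node:
    node_id: str                          # IP of the first heartbeat interface names the node
    online: bool = True
    last_seen: int = 0                    # interval in which peers last heard its heartbeat
    handled: list = field(default_factory=list)


class Cluster:
    def __init__(self, node_ids):
        self.nodes = {nid: Node(nid) for nid in node_ids}
        self.tick = 0

    def online_nodes(self):
        return [nid for nid, n in self.nodes.items() if n.online]

    def owner(self, flow):
        """Load-balancing filter: rendezvous hashing gives each flow exactly one online
        owner, and a membership change moves only the flows of the lost node."""
        members = self.online_nodes()
        if not members:
            return None
        key = "|".join(flow)
        return max(members, key=lambda nid: hashlib.sha256(f"{nid}|{key}".encode()).digest())

    def deliver(self, flow):
        """Every node receives the frame (shared multicast MAC); only the owner
        accepts it, the others drop it silently."""
        owner = self.owner(flow)
        if owner is not None:
            self.nodes[owner].handled.append(flow)
        return owner

    def heartbeat_interval(self, alive):
        """Advance one interval: nodes in `alive` send a heartbeat, peers time out the rest."""
        self.tick += 1
        for nid in alive:
            self.nodes[nid].last_seen = self.tick
        lost = []
        for nid, node in self.nodes.items():
            if node.online and self.tick - node.last_seen >= HEARTBEAT_TIMEOUT:
                node.online = False           # peers stop routing flows to it
                lost.append(nid)
        return lost

    def local_test(self, nid, passed):
        """Test subsystem: a failed self-test takes the node offline immediately
        (the real module would also notify the administrator, e.g. via SNMP)."""
        node = self.nodes[nid]
        if not passed and node.online:
            node.online = False
            return True
        return False


def flow_key(src, dst, proto, sport, dport):
    """5-tuple as strings so the filter can hash it."""
    return (src, dst, proto, str(sport), str(dport))


def demo():
    """Constructed scenario: three nodes, 60 inbound SMTP flows, then node 2 goes silent."""
    c = Cluster(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    flows = [flow_key(f"198.51.100.{i}", "192.0.2.25", "tcp", 40000 + i, 25) for i in range(60)]
    before = {f: c.deliver(f) for f in flows}
    lost = []
    for _ in range(HEARTBEAT_TIMEOUT):
        lost += c.heartbeat_interval(alive=["10.0.0.1", "10.0.0.3"])
    after = {f: c.owner(f) for f in flows}
    moved = [f for f in flows if before[f] != after[f]]
    return c, before, after, moved, lost


if __name__ == "__main__":
    c, before, after, moved, lost = demo()
    print("lost:", lost, "flows moved:", len(moved), "of", len(before))
```

Rendezvous hashing is used here because it has the property a content scanner needs from its filter: when a node drops out, only the flows that node owned are reassigned, so connections in progress on healthy nodes are not disturbed. A production filter would additionally have to synchronise connection state between nodes for the flows that do move, which this illustration does not attempt.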

    StoneBeat Management GUI

StoneBeat SecurityCluster features are easily managed by using the Java-based GUI or a command-line based management utility. The GUI is capable of monitoring the state of multiple StoneBeat sites. Additionally the GUI can be used to command security server modules online and offline. All control connections with StoneBeat modules are encrypted using Secure Sockets Layer (SSL) and authenticated using certificates. Since those connections can take any node offline, the control workstation and its certificates deserve the same protection as the firewall management station.

    Figure 4 StoneBeat Management GUI

StoneBeat SecurityCluster Configuration GUI

StoneBeat SecurityCluster provides an easy-to-use web-based configuration GUI. The web-based GUI enables configuring all the nodes of a cluster at the same time. Together with the StoneBeat management GUI, the configuration GUI allows the administrator to configure and manage multiple StoneBeat sites remotely, synchronizing any configuration changes to all nodes of a cluster. As an alternative to the web-based configuration, a native Win32 configuration GUI can be used on Windows NT, and a console configuration utility is available on all supported platforms.

    Figure 5 StoneBeat Configuration GUI

Conclusion

Security Cluster is an initiative that allows organizations to secure their networks against viral infections at the gateway without making the gateway a single point of failure. Although the concept is still in its infancy, it is maturing steadily and offers a practical way to fight virus outbreaks while keeping critical network services available.

Bibliography

www.mobilewhitepapers.com
www.stonebeat.com
www.trendmicro.com